Requirements for ICT Contingency Planning


MINISTRY OF FINANCE, Finland
Requirements for ICT Contingency Planning
The Government Information Security Management Board 2b/2012 VAHTI


Print product. MINISTRY OF FINANCE, PO Box 28 (Snellmaninkatu 1 A), FI GOVERNMENT, FINLAND. Tel. / Internet: (not reproduced in this copy). Layout: Pirkko Ala-Marttila. Juvenes Print, Finland University Print Ltd.

Instruction VM/1619/ / September 2012
To Government Ministries and Agencies

INSTRUCTIONS ON REQUIREMENTS FOR ICT CONTINGENCY PLANNING

The objective of the Ministry of Finance's Instructions on Requirements for ICT Contingency Planning is to enhance and harmonise ICT contingency planning within the ministries and the organisations in their administrative branches. According to the Government Resolution on Enhancing Information Security in Central Government (26 November 2009), one of the development priorities is preventive measures and contingency planning. According to the Decree on Information Security in Central Government (681/2010), which came into force on 1 October 2010, every central government organisation must achieve the base level of information security by 30 September [year not reproduced in this copy]. The base level of information security includes procedures for exceptional situations.

These instructions are directed at public sector actors as well as companies in a service agreement relationship with the public sector. The purpose of the requirements is to harmonise key functions with respect to the contingency planning of both the public sector and the private sector. This improves the capacity of services provided and accessed via electronic networks to withstand disruptions and promotes the continuity and recovery of services in exceptional situations. These instructions enhance organisations' contingency planning for information security and cyber threats.

Central government organisations must take into account the ICT contingency planning requirements outlined in these instructions. The requirements should be extended to the central government's internal and external service providers. In procurement preparations and calls for tender concerning individual systems, it is essential to take contingency planning requirements into account.

Guided by the ministries, the administrative branches and agencies should specify for each organisation, service and system the level of contingency they require. Organisations should establish a timetable for the implementation of services in accordance with the contingency levels, as well as the adequate resourcing of implementation, as part of normal operational and financial planning.

Minister of Public Administration and Local Government Henna Virkkunen
Government IT Director, VAHTI Chairman Mikael Kiviniemi

Enclosed: Instructions on Requirements for ICT Contingency Planning (VAHTI 2/2012)
FOR INFORMATION: Municipalities


VAHTI in brief

The Ministry of Finance is responsible for steering and reconciling the development of public sector, and particularly central government, information security in Finland. The Government Information Security Management Board (VAHTI), which has been established by the Ministry of Finance, is responsible for steering, developing and coordinating central government information security. VAHTI handles all significant central government information security policy and information security guidance matters. In its work, VAHTI supports the Government and the Ministry of Finance in decision-making and also in the preparation of decisions relating to central government information security.

VAHTI's objective is, by developing information security, to improve the reliability, continuity, quality, risk management and contingency planning of central government functions and to promote information security so that it becomes an integral part of central government activity, steering and performance guidance. VAHTI promotes the implementation of the Government Programme, the Decree on Information Security in Central Government (681/2010), the Security Strategy for Society, the Government IT Strategy, the Government Resolution on Security of Supply, the National Information Security Strategy, the Government Resolution on Enhancing Information Security in Central Government and other key policy outlines of the Government.

On 26 November 2009, the Government made a Resolution on Enhancing Information Security in Central Government. The resolution emphasises VAHTI's position and tasks as the key body responsible for the steering, development and coordination of central government information security. In accordance with the resolution, the administrative branches allocate resources for the development of information security and for cooperation coordinated within VAHTI.

VAHTI acts as the cooperation, preparation and coordination body of the central government organisations responsible for the development and steering of central government information security and data protection, and promotes the development of networked operating practices in public sector information security work. VAHTI's work has improved central government information security, and the effectiveness of its work is evident not only in central government but also in the business sector and internationally. The result is a very comprehensive set of general information security instructions (website addresses not reproduced in this copy). Led by the Ministry of Finance and VAHTI, a number of joint information security projects have been implemented with ministries and agencies, as well as an extensive central government information security development programme. For three years in succession, VAHTI has been recognised with an award for its exemplary work in improving Finland's information security.


Contents

VAHTI in brief
1 Introduction
  1.1 Chapter guide
  1.2 Justifications
  1.3 Security environment for ICT contingency planning
2 Structure of contingency planning requirements
  2.1 Formation of requirements
  2.2 ICT contingency planning requirement levels
      Formation of requirement levels
      Requirement levels
3 Using the contingency planning requirements
  3.1 Using the requirements in the public sector
  3.2 Applying the requirements in procurement and service agreements
  3.3 Applying the requirements for service providers
4 Contingency planning requirements
  4.1 Leadership
      Strategic control
      Organisation
      Cooperation, communication and reporting
  4.2 Strategies and operational planning
      Operational planning through risk management
      Service continuity planning
  4.3 People
      Developing expertise and awareness
      Management of human resources and tasks
  4.4 Partnerships and resources
      Contract management
      Securing operations in special situations
  4.5 ICT continuity management
      Lifecycle management of ICT services and systems
      Ensuring the continuity of ICT services
  4.6 Measurement and reporting
Appendix 1 ICT contingency planning requirement cards
Appendix 2 Key statutes and instructions directing ICT contingency planning (in August 2012)
Valid VAHTI publications

1 Introduction

Contingency planning means all of the administrative, operational and technical measures and solutions by which the availability of information and the undisturbed provision of services are ensured. It also covers recovery from disruptions in accordance with service agreements and as specified by service levels. ICT contingency planning ensures the continuity of ICT activity and safeguards information through risk management during exceptional situations in normal circumstances as well as in emergencies.

These instructions are directed at public sector actors as well as companies in a service agreement relationship with the public sector. Uniform requirements are established to harmonise functions which are of key importance to the contingency planning of both the public and private sectors. This improves the capacity of services provided and accessed via electronic networks to withstand incidents and promotes the continuity and recovery of services in exceptional situations. They help organisations in contingency planning for information security and cyber threats.

Guided by the ministries, the administrative branches and agencies should:
- specify for each organisation, service and system the level of contingency planning they require;
- establish a timetable for implementing services in accordance with the specified contingency planning level;
- arrange resources for implementation as part of normal operational and financial planning.

1.1 Chapter guide

These instructions describe the key principles for the management and implementation of ICT contingency planning. They replace the General Instructions on ICT Contingency Planning (VAHTI 2/2009). This document is meant for the management responsible for operational planning. The most important issues for senior management are presented in text boxes.

Chapter 4 presents, for each subarea, the general requirements that must be fulfilled in an organisation's activities and supporting services. After each requirement, an explanation is given of what the requirement means and what it improves from the perspective of contingency planning.

The requirement cards in Appendix 1 are intended for the actors responsible for service and system implementation and for ICT contingency planning. They describe in more detail the base-level, increased-level and high-level requirements, specifying each general requirement. For these requirements, the cards also give examples of possible implementations of the requirement or explain what is being sought through its implementation.

1.2 Justifications

Contingency planning for exceptional situations in normal conditions is part of the good information management practice of every organisation. The normative basis for contingency planning in emergencies consists of the Emergency Powers Act (Valmiuslaki 1552/2011) and Government Decision 539/2008 on objectives for security of supply. The Emergency Powers Act obliges public authorities to undertake contingency planning. In addition, the Government Resolution on Enhancing Information Security in Central Government (2009) as well as the Security Strategy for Society (2010) play a key role in steering contingency planning and in specifying requirements. The strategy prescribes the vital functions of society that must be secured in exceptional situations in normal conditions and in emergencies.

Strategic tasks have been specified for administrative branches with respect to the management of vital functions. In addition to these, each agency and organisation may also have other critical services and tasks associated with its own activities. The vital functions of society and their support services and systems form interdependent networks. Various government actors, citizens, organisations and businesses as well as information and communication technology service providers participate in service networks consisting of service users and maintainers. Services are dependent on the smooth functioning of society's ICT infrastructure. The continuity of ICT services is ensured by the interaction of public authorities, customer organisations and service providers as well as through the application of common operating principles and procedures.

Figure 1: ICT contingency planning means cooperation across the whole society. (Figure elements: threat scenarios, risk management, managing abnormal situations, continuity of ICT services; participants: citizens, public administration, business life, authorities, CERT-FI, service providers; availability of society's infrastructure.)

It is essential to ensure that the entire service network is able to continue to operate in accordance with the set requirements in the various exceptional situations in normal conditions and in the threat scenarios outlined in the Security Strategy for Society. From all parts of the network, this requires consistent protection of information at agreed levels as well as the ability to continue operations and services in exceptional situations in normal conditions and in emergencies.

Society's vital functions:
- Management of Government affairs
- International activity
- Finland's defence capability
- Internal security
- Functioning of the economy and infrastructure
- The population's income security and capability to function
- Psychological crisis tolerance

1.3 Security environment for ICT contingency planning

The functions vital to society are the indispensable intersectoral functional entities of society which have to be secured in all situations. Changes in the surrounding society, in public administration and in the threat environment influence the opportunities to provide the services required by vital functions, and they should also be taken into consideration in the contingency planning needs of services. From the perspective of ICT services, the most important trends in society are:
- Services, processes, production chains and systems are becoming highly automated, diversified, integrated and networked.
- Information sharing is expanding and becoming more automated.
- Services are being acquired from a service network consisting of many suppliers.
- ICT service chain ownership and contractual relationships are constantly evolving.
- The significance of international cooperation and control is growing strongly.
- The threat environment and threats are becoming more unexpected, professional and serious.

Figure 2: Interoperability of the service network and systems is critical in managing abnormal situations. (Figure elements: businesses, other agencies, stakeholders, partners, ministries, agencies and institutions, municipalities and service users connected to System A, System B, information assets and a base register; a threat environment characterised by suddenness and unanticipated events; scales from local, regional and national to global, and from seconds, minutes, hours and days to weeks.)

Disruptions may occur in both normal conditions and emergencies. Systems and contingency planning measures built in normal conditions provide the basis for measures in emergencies. The threat scenarios of the Security Strategy for Society form a foundation for the planning of joint and integrated service network action in cooperation with public sector actors, businesses and organisations. Different actors can utilise the standardised material when preparing detailed threat assessments of their own fields and when evaluating the effects of threats on services.

Society today, with its IT-based services, is part of the cyber environment and also susceptible to the threats associated with it. The sudden realisation of threats is typical of the information technology operating environment, as is the rapid and unpredictable expansion of the effects of the resulting disruptions. They may affect information technology assets directly or have an indirect impact on support structures (for example staff). A disruption may arise from a natural phenomenon, an accident, a power outage, an information system error, a quality defect, a telecommunications failure, an equipment fault, an operational or access error, or a communications problem. A disruption may also be caused intentionally, such as by malicious damage, vandalism or a cyber attack (targeted at equipment and systems).

Requirements for contingency planning are derived from an analysis of an organisation's tasks, activities and operating environment in relation to threat scenarios. Measures for the prevention and management of disruptions, as well as the development of capabilities in relation to them, are also formulated on the basis of the analysis. The strong development of the cyber environment in particular, with its constantly evolving threats, creates the need for the continuous assessment and development of contingency planning.


2 Structure of contingency planning requirements

2.1 Formation of requirements

The Information Management Act (Laki julkisen hallinnon tietohallinnon ohjauksesta 634/2011) requires public sector authorities to plan and describe their enterprise architecture to facilitate and ensure the interoperability of public sector information systems. The Act also obliges public sector organisations to comply with interoperability descriptions and specifications, and imposes a steering and coordination requirement on the Ministry of Finance.

The Government Resolution on Enhancing Information Security in Central Government (26 November 2009) sets out guidelines for central government to enhance information security as a key aspect of leadership and management, competence, risk management, and administrative reforms and activities. In accordance with the resolution, the specification and implementation of the levels of information security, contingency planning and protection is based not only on statutes and each organisation's individual objectives but also on the overall guidelines and recommendations on information security and contingency planning levels issued by the Ministry of Finance.

The purpose of uniform requirements is to harmonise key functions in the contingency planning of both the public and private sectors. This also promotes the continuity of services in various exceptional situations. In the preparation of the contingency planning requirements, EU and central government guidelines and regulations on continuity management and information security have been taken into account. These instructions also specify measures by which the ICT contingency planning requirements can be implemented. The key instructions concerning ICT contingency planning are listed in Appendix 2.

The contingency planning requirements (VARE) and the requirements of the Decree on Information Security in Central Government are primarily targeted at public sector organisations. The SOPIVA (contract-based contingency planning) recommendations and the HUOVI contingency planning self-assessment tool have been prepared for the use of companies critical for security of supply.

The main target group of the National Security Auditing Criteria (KATAKRI) is the public and private sector organisations, or their information systems and telecommunications arrangements, which have been the subject of a corporate security clearance and which handle international security-classified information material. The KATAKRI criteria may be used, where applicable, particularly in increased-, high- and special-level ICT contingency planning services to verify the fulfilment of requirements relating to the accessibility of information and services as well as premises security.

Figure 3: Legislation and guidance directing ICT contingency planning. (Figure elements, from legislation downwards: Emergency Powers Act (1080/2012), Information Management Act (634/2011), continuity of ICT services, Gov. Res. Security Strategy for Society, Gov. Res. Enhancing Information Security in Central Government, Gov. Dec. Security of Supply Objectives; ICT contingency planning requirements; instructions and tools for implementing requirements; organisation/service contingency planning policies and instructions; guidelines relating to contingency planning requirements: special legislation, EU regulations, KATAKRI, Finnish Communications Regulatory Authority regulations, VAHTI instructions, public sector recommendations (JHS), Ministry of Transport and Communications instructions, National Emergency Supply Agency / National Board of Economic Defence instructions, SOPIVA recommendations.)

2.2 ICT contingency planning requirement levels

Formation of requirement levels

ICT contingency planning requirements are set for an organisation's activities and services, and for the implementation of ICT systems and services. The generally applied EFQM (1) and CAF (2) quality assessment models have been used as a reference framework, and the requirements are compatible with the ISO standards [standard numbers not reproduced in this copy].

(1) The EFQM (European Foundation for Quality Management) model forms a reference framework for enhancing competitiveness and quality while not aiming explicitly to direct what kind of practices organisations should apply. The model used is the assessment basis of the European Quality Award and the Finnish Quality Award.
(2) The CAF (Common Assessment Framework) is a quality assessment model for public sector organisations jointly developed by EU Member States.

Figure 4: Criteria directing ICT contingency planning and information security (content coordination in the EFQM framework). (Figure elements: VAHTI instructions as requirements, SOPIVA as recommendations, HUOVI as self-assessment criteria and KATAKRI as auditing criteria; target groups: public sector organisations (226 agencies and the municipalities), service providers for the public sector, companies critical to security of supply, networked companies critical to the security of supply, and companies which have concluded a security agreement (c. 200); the other counts are not reproduced in this copy.)

The basic requirements that form the framework of the requirements are consistent with the SOPIVA recommendations and with the HUOVI maturity assessment model prepared under the guidance of the National Emergency Supply Organisation, as well as with the Instructions on Implementing the Decree on Information Security in Central Government (VAHTI 2b/2010). The Decree on Information Security in Central Government specifies requirements relating to the processing of information by public authorities from the perspective of confidentiality. ICT contingency planning requirements focus on the availability of information and services.

The ICT contingency planning requirements have been grouped into six sections. Sections 1 to 4 contain requirements relating to the maturity of an organisation or activity from the perspectives of strategic management, operational planning, human resources management and partnership network management. They are intended to integrate the management of ICT contingency planning into an organisation's normal activities. This contributes to safeguarding the continuity of operations and services and the availability of information as part of the service network, also in exceptional situations. Section 5 sets requirements for various technical systems, processes and solutions, and section 6 for the internal and external measurement of operations.

Contingency planning requirements are general requirements that describe the measures to be implemented in support of contingency planning. They are amplified by base-level, increased-level and high-level requirements, which provide instructions for implementation. The purpose of the requirements is to provide guidance for organisations to develop their activities, the services they provide and the systems they own in an appropriate manner, to prepare contingency plans for various threats, and to prevent disruptions from arising. When a system or service is procured, it is essential to verify that the asset to be procured fulfils the contingency planning requirements set for it.

Figure 5: ICT contingency planning requirements are grouped into six categories and three levels. (Categories shown: leadership; strategies and operational planning; people; partnerships and resources; ICT continuity management; measurement and reporting.)

Requirement levels

The ICT contingency planning levels also aim to standardise contingency planning measures, so that in networked activities based on partnership and confidence it is possible to recognise the ability of each party to withstand disruptions. An organisation's functions and services are placed on information security and contingency planning levels in accordance with their needs. A service may be on the base level for information security and on the high level for contingency planning, or vice versa. Achieving an increased or high level of ICT contingency planning, however, also requires that at least the base level of information security is fulfilled.

A public authority may, on the basis of its risk analysis, also decide to fulfil certain requirements in a particular service. The selected level may also be implemented with individual additional requirements from the higher levels, for example to improve the accessibility of a system in the event of evaluated threats. A system's availability requirement may also be raised temporarily to a higher service level for the duration of time-restricted events that are known in advance. This must be included in the service agreements and processes.

On all ICT contingency planning levels, a public sector service may be implemented either by the organisation itself, by public sector service providers or by private sector service providers. On the high contingency planning level, specific assurances should be obtained that the service provider's fault correction expertise and availability are adequate for all the disruptions possible in the different threat scenarios. Public sector services are placed on the ICT contingency planning requirement levels mainly according to Figure 6.

Figure 6: ICT contingency planning requirement levels. (The figure is a matrix of requirement levels against services, telecommunications solutions and ICT support organisations. Levels: SPECIAL LEVEL: special operational requirements or environments. HIGH LEVEL: directed by emergency condition needs; functions vital to society; auditing approved by NCSA-FI. INCREASED LEVEL: minimum level of critical functions; fast recovery from abnormal situations; audited service providers and services. BASE LEVEL: networked electronic services; recovery from abnormal situations; public commercial services and contracts. OPEN LEVEL: use of public cloud services; no contingency planning needs; transitional state for organisations. Services shown: operational systems of safety and rescue authorities, health records, base registers, administration services, general auxiliary services. Telecommunications solutions shown: TUVE, VY network, public telecommunications networks, public cloud, private cloud. ICT support organisations shown: HALTIK, PVJJK, government service centres and units, VIP, businesses.)

Open level

In the development of an organisation's contingency planning, the open level is the starting point: the identification of the organisation's contingency planning needs and the classification of its services onto the various levels of ICT contingency planning have not yet been completed. The organisation may also, after careful consideration, implement some of its services and systems on the open level, in which case these will not fulfil the ICT contingency planning requirements. They may, for example, be provided from public cloud services. Such a service may be, for example, an added-value service to the public that can be out of operation for long periods without the organisation's basic tasks failing to be fulfilled, and for which people can also obtain a corresponding service from elsewhere. For such services, the customer may not set special requirements concerning ICT contingency planning.

Every public sector authority must, however, achieve the base level of ICT contingency planning, even if, as planned, some services do not fulfil the base level requirements and are implemented on the open level.

Base level

The base level securely enables an organisation's normal, highly networked operations. Typically, most of the systems supporting administration, such as travel management systems, are placed on the base level. Moreover, services and systems whose momentary failure in exceptional situations does not suspend an organisation's core functions are also placed on the base level. Disruptions are overcome through standardised, normal service agreements corresponding to the organisation's operational requirements. Typically, the main operational focus of base level systems is during office hours, fault correction can be initiated on the working day following detection, and the target recovery time from the disruption may be during the next working day.

Fulfilling the base-level requirements of ICT contingency planning does not give rise to significant additional costs if the requirements are taken into account from the beginning in the development of an organisation's activities, services and systems. Services and systems already in use are transferred to the base level in connection with procurement, system modifications and updates. Base-level verification may be done through self-assessment or using external services.

Increased level

The increased level is intended for an organisation's critical functions. It is appropriate to implement only part of an organisation's operations, services and systems on this level. Services and systems that support the vital functions of society or are important for the public in exceptional situations can also be placed on the increased level. Increased-level systems include patient data systems and base registers in so far as public authorities' increased- and high-level services are dependent on them. In organisations that are central to the vital functions of society, a communications system for the management of crisis situations should also be placed on at least the increased level.

Contingency planning measures that prevent disruptions, and fault-tolerant solutions, have been introduced on the increased level. Increased-level systems have round-the-clock monitoring and the capability to initiate fault correction without delay. On the increased level, standby procedures may also be required of a user organisation, ensuring that it can decide on measures in exceptional situations. If telecommunications links from Finland to other countries have failed, it is essential to ensure the operation of services and systems important for the functions vital to society and for operating in emergencies. In such cases, it is justified to set special requirements for increased-level service providers, for example in relation to services produced abroad and their external audits. In verifying the increased level, it is also recommended that an external party be used.

High level

The high level fulfils the contingency planning needs for large-scale disturbances and emergencies in accordance with the Security Strategy for Society threat scenarios, in functions requiring special security. High-level systems include the government security network (TUVE) and the operational systems of the security authorities. Services and systems that must operate round the clock and whose short service breaks would result in serious operational disturbances or very significant economic effects are placed on the high level.

The high level sets significant additional requirements for an organisation's activities, expertise and systems implementation. High-level systems fall within the sphere of continuous round-the-clock monitoring, management and fault correction. High-level systems also require that customer and user organisations have the ability to make quick decisions in exceptional situations. On the high level, it is particularly important to ensure the operation of telecommunications and the availability of information, services, maintenance and expertise, and that these functions are performed under Finnish legislation, taking emergencies into account. Services placed on the high level must operate even if telecommunications links to countries outside Finland were down. In high-level services, it must be separately specified which information is to be stored in Finland and which management measures concerning the criticality of operations or contingency planning for emergencies are to be implemented in Finland. High-level systems should be built so that the destruction of one data centre or telecommunications link does not result in the failure of the system. The services of a party approved by the National Communications Security Authority (NCSA-FI) should be used to verify high-level ICT contingency planning.

Special level

Critical functions, services and systems are placed on the special level when the nature and availability of the service require a high contingency level as well as measures deviating from common methods and solutions. The placing of a system on the special level is decided by the relevant ministry and approved by the Ministry of Finance. Service and system audits are performed by NCSA-FI or a party approved by it.


3 Using the contingency planning requirements

3.1 Using the requirements in the public sector

With respect to ICT contingency planning, the Ministry of Finance is responsible for determining and setting contingency planning requirements, issuing instructions and guidelines, and steering implementation. The contingency planning requirements used in the public sector should cover the entire process, also across administrative boundaries. In cross-administrative processes, each part of a process must fulfil the approved requirements. Possible deviations permitted for a particularly compelling reason must be approved separately and discussed with all organisations dependent on the process. The foundation of contingency planning is that every organisation included in a process has fulfilled the base level of information security in accordance with the Decree on Information Security. Each public sector organisation must assess for which of its services and systems the base level of contingency planning is sufficient and which require increased- or high-level contingency planning. This assessment should highlight the needs of the stakeholders that use the service. As a rule, systems and services are transferred to the chosen level in connection with a system update or a procurement process, or when the system reaches the end of its lifecycle. Public authorities should record the desired contingency planning levels for their own activities, services and systems. They should also include a timetable and the resources for achieving the levels in performance guidance, operational and financial planning, and reporting. The placement of central government joint services and systems on the increased or high level, and the coordination of flows of information and processes across administrative boundaries, should be determined in cooperation between the ministries, coordinated by the Ministry of Finance.

The ministries have a significant role in steering the contingency planning of their own administrative branch through performance guidance. Based on the proposals of their agencies, the ministries confirm which systems of their administrative branch are to be placed on the high level in connection with operational and financial planning, performance guidance and monitoring. Public sector organisations should assess the level of their services and systems and, if necessary, issue accreditations in accordance with Ministry of Finance instructions.

3.2 Applying the requirements in procurement and service agreements

Every organisation is responsible for including the requirements in any invitations to tender and agreements. When preparing procurement and agreements, attention should be paid to which requirements are suitable as they are and which should be modified due to the nature of the procurement, so that they can be made binding on the service providers. The Ministry of Finance specifies at an early stage the common binding requirements to be applied in procurement. These should also be included as far as possible in public sector joint framework agreements. Each organisation may, in its own competitive tendering and framework agreements, specify the binding requirements relating to the target of procurement if required by the service being purchased or its own operations. Each organisation must ensure in its service agreements that the requirement level set for a service is conveyed along the procurement chain from the service provider to the network that participates in providing the service. Similarly, steps should be taken to ensure that any restrictions or residual risks inherent in the service are communicated to the service customer and user organisations. The obligation to comply with the base level must also extend to subcontracting terms and to the partnership network.
This procedure promotes the improvement of operational continuity in the key business network. Agencies should ensure that requirements are set for external and internal contractual partners and that these partners in turn impose the requirements on their subcontractors.

Figure 7: Contingency planning requirements must be conveyed across the service procurement chain. [Figure: the information management chain runs from the Customer (Service unit X) through the Seller, Integrator and Service network (Companies C, D, E and F) to the User organisation; arrows mark the communication of needs and requirements in one direction and the communication of restrictions/risks in the other. Questions posed: Are services and systems implemented in accordance with operational needs? Are operational and support services and necessary maintenance resources available also in abnormal situations and in emergency conditions?]

Compliance with base-level and, if necessary, higher-level contingency planning requirements should be recorded in framework agreements and service agreements. No requirements should be added to valid agreements during the agreement period other than for particularly weighty reasons.

3.3 Applying the requirements for service providers

Contingency planning requirements should be extended to the public sector's internal and external service providers. The way the requirements are implemented may differ between the operators, as long as the desired objective is fulfilled in the said service or procurement and interoperability in networked operations is maintained. Companies' contingency planning for disruptions in normal conditions and for emergencies is based as a rule on their business needs, statutory obligations and requirements specified in agreements. Companies may, on their own initiative, introduce the SOPIVA contingency planning management recommendations to support their business needs. Companies may also apply these contingency planning requirements in their own operations and in the contractual arrangements of their partnership networks. From the perspective of companies, the uniform setting of requirements for central government actors will simplify and standardise the fulfilment of customer requirements and provide a good tool for managing a company's own subcontractor and partnership network.

Companies providing a service to the public sector may be required to fulfil the contingency planning requirements set in procurement and agreements for the service they sell and for related service provision. The implementation of increased- and high-level requirements may be restricted, if necessary, to only the unit that provides or maintains services of the level in question. If a certain way of implementing requirements is for some special reason not prescribed in an invitation to tender, the company may, if it so wishes, also employ company-specific methods. In such cases, the company should state how the prescribed requirement will be fulfilled using the means employed by the company and propose a solution acceptable to the customer.

4 Contingency planning requirements

4.1 Leadership

Exceptional situations that threaten functions vital to society are generally managed according to the management code for normal conditions. In serious situations, crisis management models in accordance with the Security Strategy for Society are applied. The support of the organisation's management is decisive when developing the operational reliability of the organisation and its services. Management's role is to create the appropriate conditions for the organisation's activities to continue in all exceptional situations. Management decides on the objectives and policy outlines of contingency and continuity planning, and approves resources on the basis of a prepared development plan. The organisation's core operations must function in all exceptional situations outlined in the threat scenarios of the Security Strategy for Society.

Figure 8: ICT contingency planning and implementation process. [Figure: elements shown are SSS threat scenarios, Core functions, Risk analysis, Implementation requirements, Service level, Life cycle management, Contingency planning, Costs, Monitoring, Reporting, Measuring and Auditing; the outcome is easy-to-use, secure and reliable services and an operationally reliable infrastructure.]

To support this, the organisation needs easy-to-use, reliable and secure services, and an operationally reliable ICT infrastructure. Requirements for ICT services, as well as an ICT contingency development plan, are based on assessments of operational needs and on risk and cost-benefit analyses. Feedback obtained through measurement and reporting is used to develop services and ICT contingency planning as part of normal operational and financial planning. Internal communication is used to make staff better aware of the aims and significance of continuity management for the organisation's activities and for individual employees in all situations.

Strategic control

The key task of strategic control is to determine the contingency planning needs of the organisation and its services and to integrate contingency planning into performance guidance as an essential part of each organisation's management as well as its operational and financial planning and implementation.

Requirement 1.1: The organisation takes into account the legislation related to its activities and services and other standards steering ICT contingency planning, and these are implemented through contingency planning policies and actions.

To fulfil its obligations, the organisation must be aware of the legislation and standards that apply to it. Legislation and standards determine the minimum level for the implementation of ICT contingency planning. In addition, the organisation must take into account needs arising from the special characteristics of its activities. Understanding the internal and external interdependencies of functions is an absolute prerequisite for the cost-effective management of contingency planning. Management must ensure that subordinate organisations and units are clearly informed of their assignments and duties in emergencies.

Requirement 1.2: ICT contingency planning policies have been specified based on the requirements set by the organisation's activities.
Core functions and their support systems must operate as smoothly as possible in exceptional situations. Contingency planning measures must be scaled and targeted in accordance with operational needs. A useful working method is a Business Impact Analysis (BIA).

Organisation

Contingency planning should be organised as part of normal activity, based on the rules of procedure and task descriptions, so that responsibilities for steering and operating models remain as far as possible unchanged in exceptional situations and emergencies. The organisation's senior management prioritises the measures to be undertaken.

Requirement 1.3: Incident management has been outlined, organised and taken into account in steering models.

It is important to be able to make decisions and act quickly and effectively. This is possible when clear management responsibilities are known to all parties.

Requirement 1.4: ICT contingency planning has been organised and responsibilities assigned as part of normal management, operations and partnership network management.

Cost-effective action requires that all parties attend to the contingency planning of their own activities in accordance with common policies.

Requirement 1.5: Sufficient resources for the objectives have been allocated to contingency planning and continuity management.

The target level should be realistic, and sufficient resources should be allocated to achieving it. Only agreed and tested contingency planning measures help in preventing disruptions and in recovering from them. The specification of objectives and resources should be integrated into operational and financial planning.

Requirement 1.6: Contingency planning and continuity management planning are implemented as a joint effort of core and support functions.

Senior management appoints the staff members who implement the cooperation. Cooperation is necessary so that the support functions essential for the core functions can also be taken into account in continuity planning, and so that the implemented measures are in line with each other.

Cooperation, communication and reporting

The organisation's management should make the reporting of ICT contingency planning an integral part of the annual planning cycle of management group and cooperation meetings. Management should also issue policy outlines and assign responsibilities for internal and external communications in exceptional situations as part of the implementation of operational continuity.

Requirement 1.7: The organisation's management monitors the development of contingency planning and cyber security as well as continuity planning, and the impacts and costs of these measures.

The organisation's management is responsible for the functional capacity of services in exceptional situations. Management should steer contingency planning as part of management group work and demand adequate and explicit information about the state of ICT contingency planning to support decision-making. Continuity management cannot be successfully implemented without the commitment of management.

Requirement 1.8: Communication and reporting responsibilities and processes have been specified and organised with key stakeholders.

Due to outsourcing and the networked operating approach, organisations are dependent on their key stakeholders in safeguarding the continuity of their operations. The flow of information must work across organisational boundaries. It is essential to ensure the immediate communication of incidents and disruptions that affect services.

4.2 Strategies and operational planning

Statutory obligations must be taken into account when developing ICT contingency planning. Planning to safeguard the continuity of operations and services should be implemented as part of operational and financial planning. In operational planning, particular attention should be paid to the dependency of services on other services and other operators and on the resulting operational chain and network. Risk management should be integrated into operational planning.
When threat assessments are made as part of risk management, threat scenarios based on the Security Strategy for Society should be used. The organisation's risk analysis covers both the internal and the external operating environment. The analysis of critical tasks comprises the operational risks of the organisation and its stakeholders. The development of contingency planning and continuity management is based on the prioritisation of risks related to core and support functions. It is important to specify the desired service level for each service. The level below which a service is no longer viable for the organisation using the service should also be identified. Acceptable measures by which the impact of disruptions can be minimised and the recovery of services accelerated to conform to service level requirements should be specified for each service.

Figure 9: ICT contingency planning is implemented through the continuity management process. [Figure: a service level scale from the normal service level down to the level suspending operations; the two aims shown are reducing impact and accelerating recovery time; the process elements are risk management, continuity planning, decision-making, incident management, recovery, information protection and emergency preparedness planning.]

The organisation should have documented the contingency planning principles by which ICT contingency planning, continuity management and information security are implemented. Contingency planning can also be part of an organisation's emergency preparedness planning, implemented according to the Emergency Powers Act and the Rescue Act. Continuity planning includes contingency planning and recovery planning. It is essential to identify the correct order of measures from an effectiveness perspective. Public authorities, organisations that use and provide services, and the services themselves must fulfil at least the base level of information security according to the Decree on Information Security. Continuity planning should be done in cooperation with service providers. Every service provider is bound by the agreed measures. The special characteristics of activity in emergencies are taken into account in emergency preparedness planning, which can be implemented as part of normal continuity planning.

Operational planning through risk management

Risk management is used to scale and target contingency planning measures and resources appropriately, to enhance the organisation's operations and its capacity to withstand disruptions. In risk management, the significance of each service and system should be recognised for the organisation's own activities and for functions vital to society. In addition, an assessment should be made of the impact of the threats (including information and cyber security threats) outlined in the threat scenarios on the operation of services and systems. Services and systems should also be classified according to their criticality, so that corrective measures can be prioritised and targeted in exceptional situations. The systematic assessment of threats is essential in risk management. It is also important to evaluate the tasks and requirements assigned to the organisation as well as the available resources. Based on these, it is possible to determine the most effective measures for ICT contingency planning (Figure 10).

Figure 10: Risk management. [Figure: elements shown are Assessment (threat models, threat assessments, legislation, tasks, protected assets, available resources), Risk analysis, Business impact analysis, Residual risks, Protective measures, Incident management measures and Recovery measures.]

Requirement 2.1: In operations, the interaction of the organisation and the operating environment should be taken into account.

The operating environment and changes in it affect the organisation's operating capacity. Through interaction, the organisation can anticipate and influence matters affecting its activities.

Requirement 2.2: The results of risk management direct the development of contingency planning.

Through risk management, development measures can be targeted where the achieved benefit is greatest.

Service continuity planning

Organisations should identify the services and systems that need contingency planning measures, plan the necessary measures and arrange round-the-clock monitoring of important systems.

Requirement 2.3: Contingency planning measures support the objectives of the organisation's core operations.

Continuity management and information security are not ends in themselves; they must serve the organisation's activities.

Requirement 2.4: Incident management and emergency procedures have been documented, training has been given and exercises have been held.

Clear instructions and exercises create the preconditions for effective action in exceptional situations and facilitate, if necessary, the rapid application of documented processes in new types of situation. Contingency planning for disruptions in normal conditions also serves as a foundation for action in emergencies. If the organisation must make changes to operating processes and services in emergencies, these should be prepared during normal conditions.

Requirement 2.5: Round-the-clock activity and CERT-FI cooperation should fulfil the organisation's objectives and obligations.

Round-the-clock monitoring of important assets and CERT-FI cooperation are needed to ensure a sufficiently fast reaction to threats. These are also important for the formation of the central government's situation picture.


More information

DEVELOPMENT PLAN FOR INTERNATIONALISATION 2020

DEVELOPMENT PLAN FOR INTERNATIONALISATION 2020 DEVELOPMENT PLAN FOR INTERNATIONALISATION 2020 Content INTRODUCTION Vision for International Activities 2020 1. INTERNATIONALISATION OF EDUCATION... 1 2. RDI WORK... 4 3. INTERNATIONALISATION OF THE REGION...

More information

Risk Management & Business Continuity Manual 2011-2014

Risk Management & Business Continuity Manual 2011-2014 ANNEX C Risk Management & Business Continuity Manual 2011-2014 Produced by the Risk Produced and by the Business Risk and Business Continuity Continuity Team Team February 2011 April 2011 Draft V.10 Page

More information

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems

CP14 ISSUE 5 DATED 1 st OCTOBER 2015 BINDT Audit Procedure Conformity Assessment and Certification/Verification of Management Systems Certification Services Division Newton Building, St George s Avenue Northampton, NN2 6JB United Kingdom Tel: +44(0)1604-893-811. Fax: +44(0)1604-893-868. E-mail: pcn@bindt.org CP14 ISSUE 5 DATED 1 st OCTOBER

More information

Proposed guidance for firms outsourcing to the cloud and other third-party IT services

Proposed guidance for firms outsourcing to the cloud and other third-party IT services Guidance consultation 15/6 Proposed guidance for firms outsourcing to the cloud and other third-party IT services November 2015 1. Introduction and consultation 1.1 The purpose of this draft guidance is

More information

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY

DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY DRAFT BUSINESS CONTINUITY MANAGEMENT POLICY This document outlines a set of policies and procedures for formalising a Business Continuity programme, and provides guidelines for developing, maintaining

More information

1.0 Policy Statement / Intentions (FOIA - Open)

1.0 Policy Statement / Intentions (FOIA - Open) Force Policy & Procedure Reference Number Business Continuity Management D269 Policy Version Date 23 July 2015 Review Date 23 July 2016 Policy Ownership Portfolio Holder Links or overlaps with other policies

More information

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4

9. GOVERNANCE. Policy 9.8 RECORDS MANAGEMENT POLICY. Version 4 9. GOVERNANCE Policy 9.8 RECORDS MANAGEMENT POLICY Version 4 9. GOVERNANCE 9.8 RECORDS MANAGEMENT POLICY OBJECTIVES: To establish the framework for, and accountabilities of, Lithgow City Council s Records

More information

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy

DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Performance, Risk and Business Continuity Management Policy Not Protectively Marked Item 6 Appendix B DORSET & WILTSHIRE FIRE AND RESCUE AUTHORITY Management Policy The Dorset & Wiltshire Fire and Rescue Authority () is the combined fire and rescue authority for

More information

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement.

Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement. Securing Information in an Outsourcing Environment (Guidance for Critical Infrastructure Providers) Executive Overview Supplement June 2011 DISCLAIMER: This document is intended as a general guide only.

More information

Business continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations

Business continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations Business continuity management (BCM) for insurance companies in Switzerland minimum standards and recommendations June 2015 2 Publication details Recipients: All insurance companies supervised by Finma

More information

NHS Central Manchester Clinical Commissioning Group (CCG) Business Continuity Management (BCM) Policy. Version 1.0

NHS Central Manchester Clinical Commissioning Group (CCG) Business Continuity Management (BCM) Policy. Version 1.0 NHS Central Manchester Clinical Commissioning Group (CCG) Business Continuity Management (BCM) Policy Version 1.0 Document Control Title: Status: Version: 1.0 Issue date: May 2014 Document owner: (Name,

More information

How To Manage A Disruption Event

How To Manage A Disruption Event BUSINESS CONTINUITY FRAMEWORK DOCUMENT INFORMATION DOCUMENT TYPE: DOCUMENT STATUS: POLICY OWNER POSITION: INTERNAL COMMITTEE ENDORSEMENT: APPROVED BY: Strategic document Approved Manager Organisational

More information

NSW Government Digital Information Security Policy

NSW Government Digital Information Security Policy NSW Government Digital Information Security Policy Version: 1.0 Date: November 2012 CONTENTS PART 1 PRELIMINARY... 3 1.1 Scope... 3 1.2 Application... 3 1.3 Objectives... 3 PART 2 CORE REQUIREMENTS...

More information

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.

Information Governance Strategy and Policy. OFFICIAL Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2. Information Governance Strategy and Policy Ownership: Information Governance Group Date Issued: 15/01/2015 Version: 2.0 Status: Final Revision and Signoff Sheet Change Record Date Author Version Comments

More information

Management and Leadership. Level 5 NVQ Diploma in Management and Leadership (QCF)

Management and Leadership. Level 5 NVQ Diploma in Management and Leadership (QCF) Management and Leadership Level 5 NVQ Diploma in Management and Leadership (QCF) 2014 Skills CFA Level 5 NVQ Diploma in Management and Leadership (QCF) Page 1 Level 5 NVQ Diploma in Management and Leadership

More information

Business Continuity Management Policy

Business Continuity Management Policy Business Continuity Management Policy Business Continuity Policy Version 1.0 1 Version control Version Date Changes Author 0.1 April 13 1 st draft PH 0.2 June 13 Amendments in line with guidance PH 0.3

More information

Health, Security, Safety and Environment (HSE)

Health, Security, Safety and Environment (HSE) Health, Security, Safety and Environment (HSE) Content: 1 Objective 2 Application and Scope 21 Application of HSE Directive with underlying documents 22 Scope of HSE Management system 3 Framework for our

More information

REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD.

REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD. REGULATIONS ON OPERATIONAL RISK MANAGEMENT OF THE BUDAPEST STOCK EXCHANGE LTD. Date and number of approval/modification by the Board of Directors: 36/2010 September 15, 2010 No. and date of approval by

More information

FSSC 22000. Certification scheme for food safety systems in compliance with ISO 22000: 2005 and technical specifications for sector PRPs PART I

FSSC 22000. Certification scheme for food safety systems in compliance with ISO 22000: 2005 and technical specifications for sector PRPs PART I FSSC 22000 Certification scheme for food safety systems in compliance with ISO 22000: 2005 and technical specifications for sector PRPs PART I REQUIREMENTS FOR ORGANIZATIONS THAT REQUIRE CERTIFICATION

More information

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy

WEST YORKSHIRE FIRE & RESCUE SERVICE. Business Continuity Management Strategy WEST YORKSHIRE FIRE & RESCUE SERVICE Business Continuity Management Strategy Date Issued: 12 November 2012 Review Date: 12 November 2015 Version Control Version Number Date Author Comment 0.1 June 2011

More information

Business Continuity Planning and Disaster Recovery Planning

Business Continuity Planning and Disaster Recovery Planning 4 Business Continuity Planning and Disaster Recovery Planning Basic Concepts 1. Business Continuity Management: Business Continuity means maintaining the uninterrupted availability of all key business

More information

FURTHER QUALIFICATION FOR TOURIST GUIDES 2011

FURTHER QUALIFICATION FOR TOURIST GUIDES 2011 Requirements for a competence-based qualification FURTHER QUALIFICATION FOR TOURIST GUIDES 2011 Regulation 12/011/2011 Publications 2013:11 Finnish National Board of Education and authors Publications

More information

Principles for BCM requirements for the Dutch financial sector and its providers.

Principles for BCM requirements for the Dutch financial sector and its providers. Principles for BCM requirements for the Dutch financial sector and its providers. Platform Business Continuity Vitale Infrastructuur Financiële sector (BC VIF) Werkgroep BCM requirements 21 September 2011

More information

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC

Risk Management Strategy and Policy. The policy provides the framework for the management and control of risk within the GOC Annex 1 TITLE VERSION Version 2 Risk Management Strategy and Policy SUMMARY The policy provides the framework for the management and control of risk within the GOC DATE CREATED January 2013 REVIEW DATE

More information

SUPERVISORY AND REGULATORY GUIDELINES: PU19-0406 BUSINESS CONTINUITY GUIDELINES

SUPERVISORY AND REGULATORY GUIDELINES: PU19-0406 BUSINESS CONTINUITY GUIDELINES SUPERVISORY AND REGULATORY GUIDELINES: PU19-0406 Business Continuity Issued: 1 st May, 2007 Revised: 14 th October 2008 BUSINESS CONTINUITY GUIDELINES I. INTRODUCTION The Central Bank of The Bahamas (

More information

Information Governance Management Framework

Information Governance Management Framework Information Governance Management Framework Responsible Officer Author Business Planning & Resources Director Governance Manager Date effective from October 2015 Date last amended October 2015 Review date

More information

Business Continuity Management Framework 2014 2017

Business Continuity Management Framework 2014 2017 Business Continuity Management Framework 2014 2017 Blackpool Council Business Continuity Framework V3.0 Page 1 of 13 CONTENTS 1.0 Forward 03 2.0 Administration 04 3.0 Policy 05 4.0 Business Continuity

More information

Internal Quality Management System Audit Checklist (ISO9001:2015) Q# ISO 9001:2015 Clause Audit Question Audit Evidence 4 Context of the Organization

Internal Quality Management System Audit Checklist (ISO9001:2015) Q# ISO 9001:2015 Clause Audit Question Audit Evidence 4 Context of the Organization Internal Quality Management System Audit Checklist (ISO9001:2015) Q# ISO 9001:2015 Clause Audit Question Audit Evidence 4 Context of the Organization 4.1 Understanding the organization and its context

More information

GENERIC STANDARDS CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE CUSTOMISED SOLUTIONS INDUSTRY STANDARDS TRAINING SERVICES THE ROUTE TO

GENERIC STANDARDS CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE CUSTOMISED SOLUTIONS INDUSTRY STANDARDS TRAINING SERVICES THE ROUTE TO PROCESSES SUPPLY CHAIN SKILLED TALENT CUSTOMER RELATIONSHIPS FURTHER EXCELLENCE GENERIC STANDARDS INDUSTRY STANDARDS CUSTOMISED SOLUTIONS TRAINING SERVICES THE ROUTE TO ISO 9001:2015 FOREWORD The purpose

More information

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS

With the large number of. How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning. Virginia A. Jones, CRM, FAI RIM FUNDAMENTALS How to Avoid Disaster: RIM s Crucial Role in Business Continuity Planning The world has experienced a great deal of natural and man-made upheaval and destruction in the past few years, including tornadoes,

More information

TR CMS 101:2011. Standard for Compliance Management Systems (CMS)

TR CMS 101:2011. Standard for Compliance Management Systems (CMS) TR CMS 101:2011 Standard for Compliance Management Systems (CMS) of TÜV Rheinland, Cologne Total scope: 22 pages Contents Foreword....- 3-0 Introduction... - 5-1 Field of application... - 5-2 Aims of the

More information

University of Sunderland Business Assurance Information Security Policy

University of Sunderland Business Assurance Information Security Policy University of Sunderland Business Assurance Information Security Policy Document Classification: Public Policy Reference Central Register Policy Reference Faculty / Service IG 003 Policy Owner Assistant

More information

General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES

General Terms of Public Procurement in Service Contracts JYSE 2014 SERVICES General Terms of Public Procurement in Service Contracts January 2015 Contents Introduction...3 Issues to be observed in applying...5 General Terms of Public Procurement in Service Contracts ()...9 1 Definitions...9

More information

ICH guideline Q10 on pharmaceutical quality system

ICH guideline Q10 on pharmaceutical quality system September 2015 EMA/CHMP/ICH/214732/2007 Committee for Human Medicinal Products Step 5 Transmission to CHMP May 2007 Transmission to interested parties May 2007 Deadline for comments November 2007 Final

More information

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters

ISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9

More information

General Terms of Public Procurement in service contracts JYSE 2009 SERVICES

General Terms of Public Procurement in service contracts JYSE 2009 SERVICES General Terms of Public Procurement in service contracts November 2009 Contents Introduction........................................................................................................................................3

More information

Section A: Introduction, Definitions and Principles of Infrastructure Resilience

Section A: Introduction, Definitions and Principles of Infrastructure Resilience Section A: Introduction, Definitions and Principles of Infrastructure Resilience A1. This section introduces infrastructure resilience, sets out the background and provides definitions. Introduction Purpose

More information

Business Continuity Policy

Business Continuity Policy Business Continuity Policy St Mary Magdalene Academy V1.0 / September 2014 Document Control Document Details Document Title Document Type Business Continuity Policy Policy Version 2.0 Effective From 1st

More information

University of Turku HUMAN RESOURCES POLICY

University of Turku HUMAN RESOURCES POLICY University of Turku HUMAN RESOURCES POLICY Publisher Turun yliopisto Layout Mirja Sarlin Suomen Yliopistopaino Oy Uniprint 2012 University of Turku HUMAN RESOURCES POLICY Approved by the Board 28 March

More information

Preparing for Unannounced Inspections from Notified Bodies

Preparing for Unannounced Inspections from Notified Bodies Preparing for Unannounced Inspections from Notified Bodies Europe has introduced further measures for unannounced audits of manufacturers by notified bodies. With this in mind, James Pink, VP Europe-Health

More information

QUALITY MANAGEMENT IN VTS

QUALITY MANAGEMENT IN VTS CHAPTER 18: QUALITY MANAGEMENT IN VTS Background At its twenty-fourth session, the IMO Assembly adopted resolution A.973(24) on the Code for the Implementation of Mandatory IMO Instruments and resolution

More information

NHS Hardwick Clinical Commissioning Group. Business Continuity Policy

NHS Hardwick Clinical Commissioning Group. Business Continuity Policy NHS Hardwick Clinical Commissioning Group Business Continuity Policy Version Date: 26 January 2016 Version Number: 2.0 Status: Approved Next Revision Due: January 2017 Gordon Stevens MBCI Corporate Assurance

More information

DNV GL Assessment Checklist ISO 9001:2015

DNV GL Assessment Checklist ISO 9001:2015 DNV GL Assessment Checklist ISO 9001:2015 Rev 0 - December 2015 4 Context of the Organization No. Question Proc. Ref. Comments 4.1 Understanding the Organization and its context 1 Has the organization

More information

Il nuovo standard ISO 22301 sulla Business Continuity Scenari ed opportunità

Il nuovo standard ISO 22301 sulla Business Continuity Scenari ed opportunità Il nuovo standard ISO 22301 sulla Business Continuity Scenari ed opportunità Massimo Cacciotti Business Services Manager BSI Group Italia Agenda BSI: Introduction 1. Why we need BCM? 2. Benefits of BCM

More information

Business continuity management policy

Business continuity management policy Business continuity management policy health.wa.gov.au Effective: XXX Title: Business continuity management policy 1. Purpose All public sector bodies are required to establish, maintain and review business

More information

CASE 8: Procurement of public key infrastructure

CASE 8: Procurement of public key infrastructure CASE 8: Procurement of public key infrastructure Uni. Athens / CERES Country / region Netherlands Short description This is the case of an integrated central e-government infrastructure for issuing and

More information

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies

Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies Understanding Principles and Concepts of Quality, Safety and Environmental Management System Graham Caddies Owner / Principal Advance Profitplan Understanding Principles & Concepts Page 1 of 10 Revision

More information

Risk management systems of responsible entities

Risk management systems of responsible entities Attachment to CP 263: Draft regulatory guide REGULATORY GUIDE 000 Risk management systems of responsible entities July 2016 About this guide This guide is for Australian financial services (AFS) licensees

More information

An Introduction to PRINCE2

An Introduction to PRINCE2 Project Management Methodologies An Introduction to PRINCE2 Why use a Project Methodology and What Does PRINCE2 Enable? PRINCE - PRojects IN Controlled Environments - is a project management method covering

More information

ICAICT704A Direct ICT in a supply chain

ICAICT704A Direct ICT in a supply chain ICAICT704A Direct ICT in a supply chain Release: 1 ICAICT704A Direct ICT in a supply chain Modification History Release Release 1 Comments This Unit first released with ICA11 Information and Communications

More information

Guideline on risk management and other aspects of internal control in stock exchange

Guideline on risk management and other aspects of internal control in stock exchange until further notice 1 (11) Applicable to stock exchanges Guideline on risk management and other aspects of internal control in stock exchange By virtue of section 4, paragraph 2, of the Act on the Financial

More information

Preparing yourself for ISO/IEC 27001 2013

Preparing yourself for ISO/IEC 27001 2013 Preparing yourself for ISO/IEC 27001 2013 2013 a Vintage Year for Security Prof. Edward (Ted) Humphreys (edwardj7@msn.com) [Chair of the ISO/IEC and UK BSI Group responsible for the family of ISMS standards,

More information

Release: 1. ICT40510 Certificate IV in Telecommunications Network Planning

Release: 1. ICT40510 Certificate IV in Telecommunications Network Planning Release: 1 ICT40510 Certificate IV in Telecommunications Network Planning ICT40510 Certificate IV in Telecommunications Network Planning Modification History Not Applicable Description Descriptor This

More information

BUSINESS CONTINUITY MANAGEMENT POLICY

BUSINESS CONTINUITY MANAGEMENT POLICY BUSINESS CONTINUITY MANAGEMENT POLICY AUTHORISED BY: DATE: Andy Buck Chief Executive March 2011 Ratifying Committee: NHS Rotherham Board Date Agreed: Issue No: NEXT REVIEW DATE: 2013 1 Lead Director John

More information

Risk Management Policy and Framework

Risk Management Policy and Framework Risk Management Policy and Framework December 2014 phone 1300 360 605 08 89589500 email info@centraldesert.nt.gov.au location 1Bagot Street Alice Springs NT 0870 post PO Box 2257 Alice Springs NT 0871

More information

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY

CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY AND POLICY Zurich Management Services Limited Registered in England: No 2741053 Registered Office The Zurich Centre, 3000 Parkway Whiteley, Fareham Hampshire, PO15 7JZ CHAPTER 1: BUSINESS CONTINUITY MANAGEMENT STRATEGY

More information

Business Continuity Management

Business Continuity Management Business Continuity Management Policy Statement & Strategy July 2009 Basildon District Council Business Continuity Management Policy Statement The Council is committed to ensuring robust and effective

More information

RISK MANAGEMENT POLICY

RISK MANAGEMENT POLICY RISK MANAGEMENT POLICY Approved by Governing Authority February 2016 1. BACKGROUND 1.1 The focus on governance in corporate and public bodies continues to increase. It resulted in an expansion from the

More information

Protective security governance guidelines

Protective security governance guidelines Protective security governance guidelines Security of outsourced services and functions Approved 13 September 2011 Version 1.0 Commonwealth of Australia 2011 All material presented in this publication

More information